The Intelligence Corner

Our experts’ unique discoveries, observations, and opinions on what’s trending today in Business Risk Intelligence and the Deep & Dark Web.

Search results
Posts of Vitali Kremez

TreasureHunter Point-of-Sale Malware and Builder Source Code Leaked

The source code for a longstanding point-of-sale (PoS) malware family called TreasureHunter has been leaked on a top-tier Russian-speaking forum. Compounding the issue is the coinciding leak by the same actor of the source code for the malware’s graphical user interface builder and administrator panel. The availability of both code bases lowers the barrier for […]

Read more

‘Rubella Macro Builder’ Crimeware Kit Emerges on Underground

A crimeware kit dubbed the Rubella Macro Builder has recently been gaining popularity among members of a top-tier Russian hacking forum. Despite being relatively new and unsophisticated, the kit has a clear appeal for cybercriminals: it’s cheap, fast, and can defeat basic static antivirus detection. First offered for sale in late February for the relatively […]

Read more

Compromised Magento Sites Delivering Malware

Ecommerce websites running on the popular open-source Magento platform are being targeted by attackers who are using brute-force password attacks to access administration panels to scrape credit card numbers and install malware that mines cryptocurrency. Researchers at Flashpoint are aware of the compromise of at least 1,000 Magento admin panels, and said that interest in […]

Read more

Targeted Attacks Against South Korean Entities May Have Been as Early as November 2017

On January 31, 2018, KrCERT/CC, the Republic of Korea’s (South Korea) Computer Emergency Response Team, released a notice regarding an Adobe Flash vulnerability, designated CVE-2018-4878. The notice stated that this zero-day vulnerability affects all versions of Adobe Flash Player ActiveX up to 28.0.0.137, which Adobe released on January 9, 2018. KrCERT/CC recommended uninstalling Flash Player […]

Read more

Trickbot Gang Evolves, Incorporates Account Checking Into Hybrid Attack Model

Individuals who reuse login credentials across multiple sites are more susceptible to account checking attacks, which occur when threat actors use credentials stolen from past database breaches or compromises to gain unauthorized access to other accounts belonging to the same victims. However, the process of mining compromised data for correct username and password combinations requires […]

Read more

“Ultimate Anonymity Services” Shop Offers Cybercriminals International RDPs

October 24, 2017

Dark Web marketplaces selling access to compromised Remote Desktop Protocol (RDP) servers have become increasingly popular in the cybercriminal ecosystem over the past several years. UAS — which stands for “Ultimate Anonymity Services” — is one such popular cybercriminal RDP shop that has been online since February 16, 2016.  UAS offers SOCKs proxies in addition to over […]

Read more

How Ransomware has become an ‘Ethical’ Dilemma in the Eastern European Underground

September 20, 2017

It’s no secret that the Deep & Dark Web (DDW) is home to illicit marketplaces and forums, as well as an array of cybercriminal communications. Less obvious, however, are the nuances of these communications, the unspoken code of conduct that exists in cybercriminal communities, and the “ethical” dilemma that certain types of attacks can cause. […]

Read more

New Version of “Trickbot” Adds Worm Propagation Module

July 27, 2017

On July 27, 2017, in coordination with Luciano Martins, Director of Cyber Risk Services at Deloitte, Flashpoint observed a new version – “1000029” – of the formidable “Trickbot” banking Trojan with a new “worm64Dll” module, spread via the email spam vector, impersonating invoices from a large international financial institution. Image 1: The latest Trickbot tt0002 […]

Read more

With a boost from Necurs, Trickbot expands its targeting to numerous U.S. financial institutions

The Necurs botnet first emerged in 2012 and has since become notorious for powering massive, malware-laden spam campaigns. Although the botnet’s historical association with Locky and Jaff Ransomware has long raised concerns from organizations across all sectors, Necurs is now delivering a different type of malware that poses a threat specifically to the financial sector: […]

Read more

“Necurs” Botnet Fuels Massive Spam Campaigns Spreading “Jaff” Ransomware

Starting on May 11, 2017, Flashpoint analysts observed several large spam campaigns originating from the Necurs botnet that aim to dupe recipients into opening malicious attachments that infect their computers with “Jaff” ransomware. These spam campaigns feature a multi-stage infection chain including a PDF file, a malicious Microsoft Office document, and finally, the Jaff ransomware […]

Read more